Privacy Policy

Your privacy is important to DYNAPAY Limited, 18 King William St, Monument, London, United Kingdom, EC4N 7BP (“DYNAPAY”, “we”, “us”, “our”). We are committed to avoiding risky processing of Your personal data as far as possible and to processing only as much data as is absolutely necessary to achieve our purposes or to provide services at Your request, taking into consideration the proportionality principle.

This Privacy policy:

  • aims to give you information on how DYNAPAY processes Your data,
  • is instrumental in DYNAPAY’s personal data protection system and is binding on every DYNAPAY employee and subcontractor.

DYNAPAY invokes the Privacy policy when concluding agreements and maintaining relationships with data protection authorities.

DYNAPAY processes Your personal data in material compliance with the following principal provisions:

  • DYNAPAY respects and complies with the requirements of the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and other national and international laws.¹
  • We are fair and maximally transparent with You regarding Your data processing and protection.
  • All the information is being provided to You in concise, transparent, intelligible and easily accessible form, using plain and clear language.
  • We will not process Your data without having a legal basis and specified, explicit and legitimate purposes.
  • By default, we process only personal data which:

    • Is necessary to achieve the current purpose.
    • Is accurate and, where necessary, kept up to date.
  • Once a purpose is achieved, we either delete Your personal data or anonymize it, so that it is impossible to identify you.
  • When data is processed for scientific or historical research purposes or statistical purposes, we apply anonymization or additional safeguards preventing any undue impact on Your person (functional separation).
  • We implement and constantly improve organizational and technical measures that protect Your data against any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the data.
  • We conduct staff training on data protection matters on a regular basis.
  • We welcome Your active involvement in keeping Your data up to date, as well as Your assistance in improving this Privacy policy and our data protection system.
  • We take all necessary measures so that the relevant safeguards are included in agreements with other data controllers and processors and responsibilities are clearly shared, subject to the requirements of LAWS.
  • LAWS-compliant information and communication technologies (ICT) are used in processing Your data. We ensure ICT integrity, confidentiality, availability and resilience in line with the relevant risk level.
  • Our employees are held accountable for any breaches of this Privacy policy.

What data does DYNAPAY collect about you?

We collect different categories of data depending on the services You request, the requirements of the LAWS and our legitimate interests in conducting our business.

Separately from other data, cookies are a specific category of data. We use cookies when you use our web-based Platforms (e.g. browsing the website, applications of DYNAPAY, sending email and text messages, communicating through social media accounts). The cookies mostly relate to providing services You have explicitly requested (e.g. opening a website or a section of it, making payments etc.) or to Your authentication during the login process.

Additionally, when You visit our website, we may collect certain information automatically from your device in order to provide the services you requested, to ensure security and for statistical purposes; automatic collection might include Your IP address, device type, browser type (such as Chrome, Safari, Firefox or Internet Explorer), Your operating system and carrier, as well as details of any referring website or exit pages.

Please, find additional information on usage of cookies HERE.

Why do we need Your data?

Depending on the relationship (client, employment, partner agreement, website user etc.), DYNAPAY collects only the personal data that is minimally necessary for achieving the purposes of processing (e.g. to conclude an employment contract, make a payment, detect fraud, prevent identity theft, send You special offers, handle Your requests and claims, render customer support etc.).

You can find the main groups of processing purposes HERE.

Who is responsible for Your data protection?

The controller (also operator of the website) involved in processing is liable for the confidentiality, integrity and availability of Your data, as well as for damage caused by its activities which infringe the LAWS and/or Your privacy. A processor shall be liable only where it has not complied with obligations of the LAWS specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

Where DYNAPAY processes payment card data provided by a merchant, the merchant will be the controller and DYNAPAY will be a processor acting on behalf of the controller. However, DYNAPAY might also be a controller for some payment card data in order to comply with legal and contractual obligations (e.g. when performing an agreement with a partner, DYNAPAY shall store records of every transaction to substantiate incomes).

When the data is collected, we will either inform You of the current controller or it will be evident from the document or web form you are filling in.

If You provide data of other data subjects, You shall be solely liable for obtaining consent from them or using another legal basis for processing their data (e.g. contract, power of attorney etc.).

Disclosure after collecting

Generally, we do not share Your data with third parties.

DYNAPAY does so only when it has a legal basis and a processing purpose for doing so. When disclosing Your data, we require recipients to follow LAWS and data protection measures when they process Your data.

Our Platforms and services may contain links to third-party websites, products and services. We may also use or offer products or services from third parties − for example, a third-party app.

When You use a third-party service or click through to a third-party website, our Privacy policy does not apply. Please contact the relevant third party to obtain their privacy rules.

Depending on processing purposes, we might share Your data with associated companies of DYNAPAY, our suppliers of services and goods, as well as other third parties. You can find more detailed information on our sharing practices HERE.

DYNAPAY SAFEGUARDS

Security Measures

Considering the state of the art and the costs of implementation, the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for Your rights and freedoms posed by the processing, DYNAPAY ensures and continually improves security measures to protect Your data from the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

To achieve the highest security level, we implement organizational and technical measures. You can find the most typical measures HERE.

Your rights

The scope of Your rights (as a data subject) is set under each current processing purpose and legal basis, of which You will be informed when DYNAPAY collects Your data or You provide it to us.

Where we are a processor, You should take this into account when exercising Your rights, as the data controller should remain the main contact for data subjects. In such cases we will provide all possible support in contacting the relevant controller.

Right to be informed

Every time DYNAPAY collects Your data as the controller, we will inform You at least of the identity of the controller, the purposes of data processing and sources where to find additional information.

In the event we collect Your data from other controllers (processors), You will also be informed in a timely manner.

Our communication is made in an intelligible, plain and clear way, and so that texts are not burdensome, we will not inform you of details you already know.

Where the processing of Your data is based on consent, You have the right to withdraw consent at any time. Please note that the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

There might be also other cases where Your rights to be informed are limited.

Right of access

You are entitled to receive from DYNAPAY a confirmation as to whether or not Your data is being processed by us, and if so, You have a right to access the relevant data.

Right to rectify and add

You are entitled to obtain from DYNAPAY without undue delay the rectification of inaccurate personal data. Considering purposes of processing You are also entitled to supplement incomplete personal data.

Right to erasure (“right to be forgotten”)

You are entitled to obtain from DYNAPAY the erasure of Your data. In cases set by LAWS we shall delete Your data.

Unfortunately, owing to the exceptional character of exercising such rights, the LAWS set restrictions under which Your request might be refused.

Right to restriction of processing

In certain cases You are entitled to request that DYNAPAY restrict the processing of Your data. Notwithstanding the restriction of processing, we will still be entitled to:

  • Store Your data;
  • Process Your data in any manner, if:

    • You have consented to it;
    • We have to establish, exercise or defend our legal claims;
    • The rights of another person shall be protected;
    • There are reasons of important public interest.

Right to data portability

You are entitled to transmit Your data, which You have provided to DYNAPAY, to another controller, where:

  • the processing is based on consent or on a contract; and
  • the processing is carried out by automated means.

Unfortunately, there might be cases, when Your data transmission to another controller is not technically feasible. In this regard we will try to do our best in providing maximum support, so another controller receives Your data.

Right to object

Where DYNAPAY processes Your data:

  • for the performance of a task carried out in the public interest, or
  • in the exercise of official authority vested in us, or
  • for the purposes of the legitimate interests pursued by us or by a third party,

You are entitled to object to such processing, specifying in Your request the particular situation (reason for objection).

In such cases we will not process Your data unless we demonstrate compelling legitimate grounds for the processing which override Your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

There are also other cases set by LAWS, when You are entitled to object, as well as conditions under which the right to object might be exercised.

Your rights regarding automated individual decision-making, including profiling

You are entitled not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning You or similarly significantly affects You, except where the decision:

  • is necessary for entering into, or performance of, a contract between You and the current controller of DYNAPAY; or
  • is authorized by LAWS to which DYNAPAY is subject and which also lays down suitable measures to safeguard Your rights and freedoms and legitimate interests; or
  • is based on Your explicit consent.

Right to lodge a complaint

Without prejudice to any other administrative or judicial remedy, You are entitled to lodge a complaint with a supervisory authority, in particular in the EU Member State of Your habitual residence, place of work or place of the alleged infringement if You consider that the processing of Your data infringes LAWS and we are not able to settle a claim in an amicable way.

RESTRICTIONS OF YOUR RIGHTS AND PRINCIPAL PROVISIONS

Please be informed that each of Your rights and some of the principal provisions set out herein might be restricted by legislative measures, mostly to the advantage of other natural and legal persons, as well as national interests and public security.

Data transfers to third countries and international organizations

DYNAPAY might transfer Your data to a third country, providing safeguards and security measures so that the level of Your data protection is not undermined. Such transfers might take place if:

  • we have to perform an agreement concluded between You and DYNAPAY;
  • we have to carry out pre-contractual measures in order to prepare a contract;
  • you have consented to the proposed transfer;
  • the transfer is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the EU or an EU Member State;
  • the transfer is based on standard data protection clauses adopted by the European Commission;
  • other cases may be applicable (you shall be informed prior to any such transfer).

How does DYNAPAY treat Your requests?

On receiving Your request to exercise Your rights under this Privacy policy, we will process it without undue delay and in any event within one month of receipt of the request, except in cases where we are not able to identify you (we are either not processing Your personal data or it was anonymized/erased). The one-month period may be extended by two further months where necessary, taking into account the complexity and number of the requests. We will inform You of any such extension within one month of receipt of the request, together with the reasons for the delay.

Where Your requests are manifestly unfounded or excessive, DYNAPAY might refuse to act on the request, explaining the reasons, or You might be charged a reasonable fee considering the administrative costs of providing the information or communication or taking the action requested.

In case we have reasonable doubts concerning the identity of the natural person (also authorized representative) making the request, we may request the provision of additional information necessary to confirm the identity of such a natural person.

You are entitled to receive one copy of Your data free of charge. For any further copies we may charge a reasonable fee based on administrative costs. The right to obtain a copy shall not adversely affect the rights and freedoms of others.

DYNAPAY CONTACTS

If You have any questions regarding Your data protection or any comments on this Privacy policy, please contact our Data Protection Officer: privacy@dynapay.co.uk

Any other questions regarding our services and current data processing shall be addressed to info@dynapay.co.uk.

AMENDMENTS AND EFFECTIVE DATE

DYNAPAY might make minor amendments to this Privacy policy which shall not have a negative impact on Your privacy, except if LAWS set otherwise.

In case of material changes, DYNAPAY will publish such amendments and the amended policy on our website and, as far as possible, notify you either by email or by pop-up windows when you next visit our website.

Amendments shall enter into force on the Effective Date.

The current version of the Privacy policy is published on our website.

The Effective Date of Privacy policy: November 12, 2018

The term “processing” means:

any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The term “personal data” means:

any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personally identifiable information shall mean the same as personal data.

Why do we need Your data?

DYNAPAY carries on business projects where we have to process Your personal data in order to:

  • Ensure convenient payment solutions when You are using Your e-Wallet and payment cards;
  • Manage Your e-Wallets;
  • Render payment services on your request;
  • Render web-based services upon Your request;
  • Provide you with value added services and advertising;
  • Perform other implied activities (support, IT, security, marketing, HR etc.) within DYNAPAY and in collaboration with our business partners and 3rd parties;
  • Ensure professional staff for all the above;
  • Comply with legal obligations (e.g. tax, accounting, FCA requirements etc.).

We might collect the following data categories²:

  • Regarding payment card holders:

    • Identification data (name, surname, date of birth, demographics etc.)
    • Personal Credentials (passport, ID etc.)
    • Financial data (bank name, transaction details, payment card data, billing address, tax residency, etc.)
  • Regarding employees:

    • Workplace data (communication, organizational matters, security, taxes, bookkeeping, employment record management etc.)
    • Experiences, skills (professional, personal etc.)
    • Education (institutions, credentials etc.)
    • Legal status (ownership, litigations, insurance etc.)
    • Social data (social media, cookies, communication means, contact lists, events etc.)
    • Sensitive (special category data, e.g. assessment of the working capacity of the employees, trade union membership)
  • Other data categories (e.g. cookies)
² The list of categories is non-exhaustive and might be supplemented from time to time.

The term “controller” means:

the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

The term “processor” means:

a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

How we share Your data

Associated companies: We may share Your data among DYNAPAY’s associated companies, as well as combine it with other information solely for the administrative purposes – to organize internal workflow, enhance our efficiency, provide and improve our services, Platforms’ content and make our advertising more convenient and better matching Your expectations.

Corporate affiliates and change of control: We may share Your data in case of change of control/owners of DYNAPAY.

Service providers: We may share Your data with suppliers who perform services on our behalf and have agreed in writing to protect and not further disclose Your information.

Payment service providers: If you make payments with your bank card through the Platforms, we may share Your data with the payment service providers and branded payment card systems for validation (e.g. VISA/ Mastercard).

Business partners: We may share Your data with various business partners. Some of these business partners may use Your data for fraud prevention. We may also share Your information to ask our partner to create a survey, form, application or questionnaire in order to learn the degree of Your satisfaction with our services. Some of these business partners may use Your data for online behavioral advertising purposes, or to offer you services or products that we believe you may be interested in. We may also share Your information as otherwise described to you at the time of collection. We may also share anonymous aggregated usage information with partners.

Information shared in public: If you provide us a review of Your experience using payment cards, you authorize us to publish it on all our Platforms under the screen name you provided. You also authorize us to aggregate it with other reviews.

Authorities: We may disclose data if required by LAWS, for example to law enforcement or other authorities.

DYNAPAY TYPICAL SECURITY MEASURES
  • Use of specified information security standards regarding payment card processing – PCI DSS;
  • Authorization and authentication mechanisms;
  • Content encryption;
  • Pseudonymization;
  • Audit trails;
  • Access restriction;
  • Backup systems;
  • Physical security:

    • Security staff;
    • Pass entry system;
    • Alarm system;
    • Video surveillance;
    • Limited access to server rooms;
    • Fire alarm;
    • Protection from power cuts;
  • Internal control procedures;
  • Timely communication on data protection breaches, maximally mitigating possible adverse effects;
  • Firewalls;
  • Strong Password Criteria;
  • Penetration tests;
  • Incorporated internal policies, procedures and documents;
  • Staff training;
  • Etc.

Information we are providing to You, if we are collecting Your data directly from You
  • the identity and the contact details of the controller;
  • the contact details of the data protection officer;
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  • the legitimate interests pursued by the controller or by a third party, where applicable;
  • the recipients or categories of recipients of the personal data, if any;
  • where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission, or reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  • where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • the right to lodge a complaint with a supervisory authority;
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
  • the existence of automated decision-making, including profiling, referred to in GDPR Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Information we are providing to You, if we are collecting Your data indirectly
  • the identity and the contact details of the controller and, where applicable, of the controller's representative;
  • the contact details of the data protection officer, where applicable;
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients of the personal data, if any;
  • where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission, or reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  • the legitimate interests pursued by the controller or by a third party, where applicable;
  • the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  • where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • the right to lodge a complaint with a supervisory authority;
  • from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
  • the existence of automated decision-making, including profiling, referred to in GDPR Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

In case the data is not collected directly from You we shall provide the information referred to in paragraphs 1 and 2:

(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
(b) if the personal data are to be used for communication with You, at the latest at the time of the first communication; or
(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

The right to be informed shall not apply, if:
  • obtaining or disclosure of Your data is expressly laid down by LAWS, or
  • the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; in such cases we will provide appropriate safeguards.

In case the data is not collected from You, we are prohibited from informing you of it, if and insofar as the data must remain confidential subject to an obligation of professional secrecy regulated by LAWS, including a statutory obligation of secrecy.

You are entitled to access the following information:
  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from us rectification or erasure of Your data or restriction of processing of Your data or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from You, any available information as to their source;
  • the existence of automated decision-making, including profiling, referred to in GDPR Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for You;
  • about appropriate safeguards we are providing regarding Your data transfers to a third country or to an international organization taking into account GDPR Article 46.

Cases, when You have the right to obtain from the current controller of DYNAPAY the erasure of Your data:
  • Your data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • You withdraw consent on which the processing is based and we have no other legal ground for the processing;
  • You object to the processing pursuant to GDPR Article 21(1) and there are no overriding legitimate grounds for the processing, or You object to the processing pursuant to GDPR Article 21(2);
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation in LAWS to which we are subject;
  • the personal data have been collected in relation to the offer of information society services referred to in GDPR Article 8(1).

The erasure of personal data is not applicable to the extent that processing is necessary:
  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by LAWS to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
  • for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of GDPR;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with GDPR Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise or defense of legal claims.

You are entitled to obtain from us restriction of processing where one of the following applies:
  • You are contesting the accuracy of Your data, for a period enabling us to verify the accuracy of Your data;
  • the processing is unlawful and You oppose the erasure of Your data and request the restriction of their use instead;
  • we no longer need Your data for the purposes of the processing, but they are required by You for the establishment, exercise or defense of legal claims;
  • You have objected to processing pursuant to GDPR Article 21(1) pending the verification whether our legitimate grounds override those of Your interests.

GDPR Article 21 (2)-(6)

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to GDPR Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

'profiling'

means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;

GDPR Article 23
Restrictions

1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

(a) national security;
(b) defense;
(c) public security;
(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
(f) the protection of judicial independence and judicial proceedings;
(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
(i) the protection of the data subject or the rights and freedoms of others;
(j) the enforcement of civil law claims.

2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

(a) the purposes of the processing or categories of processing;
(b) the categories of personal data;
(c) the scope of the restrictions introduced;
(d) the safeguards to prevent abuse or unlawful access or transfer;
(e) the specification of the controller or categories of controllers;
(f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
(g) the risks to the rights and freedoms of data subjects; and
(h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

GDPR Article 22

Automated individual decision-making, including profiling

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

2. Paragraph 1 shall not apply if the decision:

(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
(b) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
(c) is based on the data subject's explicit consent.

3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

GDPR Article 8 (1)

Where point (a) of Article 6(1) applies, in relation to the offer of information society services* directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.

* ‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council

GDPR Article 21 (1)

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

GDPR Article 21 (2)

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

GDPR Article 9

Processing of special categories of personal data

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2. Paragraph 1 shall not apply if one of the following applies:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorized by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
(e) processing relates to personal data which are manifestly made public by the data subject;
(f) processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;
(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

GDPR Article 46

Transfers subject to appropriate safeguards

1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorization from a supervisory authority, by:

(a) a legally binding and enforceable instrument between public authorities or bodies;
(b) binding corporate rules in accordance with Article 47;
(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);
(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

3. Subject to the authorization from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organization; or
(b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

4. The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.

5. Authorizations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.

GDPR Article 89 (1)

Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organizational measures are in place in particular in order to ensure respect for the principle of data minimization. Those measures may include pseudonymization provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

Information Society Services

means any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.

For the purposes of this definition:

(i) ‘at a distance’ means that the service is provided without the parties being simultaneously present;

(ii) ‘by electronic means’ means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means;

(iii) ‘at the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.

An indicative list of services not covered by this definition is set out in Annex I;

Indicative list of services not covered by the second subparagraph of point (b) of Article 1(1)

1. Services not provided ‘at a distance’

Services provided in the physical presence of the provider and the recipient, even if they involve the use of electronic devices:

(a) medical examinations or treatment at a doctor's surgery using electronic equipment where the patient is physically present;
(b) consultation of an electronic catalogue in a shop with the customer on site;
(c) plane ticket reservation at a travel agency in the physical presence of the customer by means of a network of computers;
(d) electronic games made available in a video arcade where the customer is physically present.

2. Services not provided ‘by electronic means’

  • services having material content even though provided via electronic devices:

    (a) automatic cash or ticket dispensing machines (banknotes, rail tickets);
    (b) access to road networks, car parks, etc., charging for use, even if there are electronic devices at the entrance/exit controlling access and/or ensuring correct payment is made,

  • offline services: distribution of CD-ROMs or software on diskettes,
  • services which are not provided via electronic processing/inventory systems:

    (a) voice telephony services;
    (b) telefax/telex services;
    (c) services provided via voice telephony or fax;
    (d) telephone/telefax consultation of a doctor;
    (e) telephone/telefax consultation of a lawyer;
    (f) telephone/telefax direct marketing.

3. Services not supplied ‘at the individual request of a recipient of services’

Services provided by transmitting data without individual demand for simultaneous reception by an unlimited number of individual receivers (point to multipoint transmission):

(a) television broadcasting services (including near-video on-demand services), covered by point (e) of Article 1(1) of Directive 2010/13/EU;
(b) radio broadcasting services;
(c) (televised) teletext.

Points (e) and (f) of Article 6(1) of GDPR

1. Processing shall be lawful only if and to the extent that at least one of the following applies:
...

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (a) of Article 6(1) of GDPR

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
...

Hereinafter, GDPR together with the Data Protection Act 2018 and other national/international laws are referred to as “LAWS”.